This week’s conversation in the CISO Twitterverse showcases a few approaches that are literally outside-of-the-box, and by “box” I mean the network perimeter. Cloud adoption has forced a paradigm shift in the security landscape. As systems of record move off-premises, companies must find ways to extend security capabilities beyond their physical walls. Additionally, enterprises are increasingly concerned that their network perimeter is not foolproof and that Shadow IT has become a primary exfiltration path for compromised data. Let’s take a look at the alternatives to the traditional perimeter security model.

Dmitri Alperovitch, CTO at CrowdStrike, explains the shortcomings of focusing on the perimeter, pointing out that current slow detection times for breaches are a central concern for enterprise security. Leveraging multiple vectors of behavioral risk, including role and behavior across applications, can help in timely detection of suspicious activity.

[Embedded tweet: Dmitri Alperovitch: "My new blog at @DarkReading: Malware-centric defense is doomed. Need to also look for adversaries." http://t.co/kjRTbxYDh8]

The cloud often gets a bad rap from a security perspective, but Latha Maripuri, CISO at NewsCorp, debunks this myth with an article on why the cloud is just as secure as, if not more secure than, on-premises servers. As an example, the recent breaches at Anthem, JP Morgan, Sony, and Target all involved datacenters, not cloud services. Cloud service providers actually have much more at stake from a security standpoint, since a breach could completely destroy confidence in their product and put the company out of business. They also have more resources to dedicate to security. At the same time, companies remain responsible for ensuring employees use these services in secure ways and for securing cloud-based systems of record.

[Embedded tweet: Latha Maripuri: "The Cloud Could Be Your Best Security Bet" http://t.co/xSgbR8QEqJ]

With the overwhelming variety of threats being thrown at security teams, executives have called for instilling an organizational culture of security. Nikk Gilbert, former US Department of Defense CISO, shared an article on an essential component of a security-aware organization: user education. Especially given the prevalence of credentials compromised through phishing scams, security training can be one of the most effective and lowest-cost initiatives to add on top of typical security tools.

[Embedded tweet: Nikk Gilbert: "So, You Don't Believe In Security Education?" http://t.co/trBqyVRwHA]

Dan Lohrmann, former State of Michigan CSO, raised another common misconception: that checking boxes to achieve compliance ensures an organization is secure. The article he shares highlights the case of Premera, which was breached shortly after auditors declared the organization HIPAA compliant.

[Embedded tweet: Dan Lohrmann: "Good article on why compliance alone is not enough for security" https://t.co/LvvSRDlmBT]

Then there’s the response when all else fails: cyber-insurance. Ben Beeson of Lockton Companies shared a post which states that financial institutions are scrambling to purchase insurance against cyber attacks. This is part of a larger trend in which information security risk is becoming one of the top priorities in corporate risk mitigation, especially from the board of directors’ perspective. For those attending RSA, look for this theme to play a prominent role, and catch one of the sessions on the board’s role in cyber-security.

[Embedded tweet: Ben Beeson: "Cyber risk the most serious threat to business, says Lloyd's chief" via @Telegraph http://t.co/x8iVNqUy4l]
